

VIRUS ALERTS

Trojan WOW

Original issue date: September 18, 2008

It has been observed that a Backdoor named WOW is spreading in the wild. The Trojan spreads as a Windows PE EXE file, written in Delphi and packed using NsPack. The size of the packed file is 136069 bytes. After successful installation the Trojan monitors the user's HTTP requests in order to steal the credentials sent in those requests.
The Trojan captures different parameters depending on the string present in the requested URL:

  • If the URL contains the following string "/vk/unblock_deal.php", then the Trojan gets the values of the following parameters:
    • account=
    • pin=

  • If the URL contains the string "/dologin.php", the Trojan gets the values of the following parameters:
    • loginname=
    • &password=

The Trojan also captures screenshots of dialog boxes to obtain the values entered in them, and sends this information to a remote website under the control of the attacker.
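The URL matching rules above decide which accounts an infected user has exposed, which is the first question an incident responder has to answer before resetting credentials. The following Python script is an added example, not code from this alert: it applies the two substring rules and parameter names quoted above to a set of constructed request records (the host names, the `captured_parameters` and `exposure_report` function names and the sample values are this example's own) and produces a reset list with the secret values redacted.

```python
"""Credential-exposure triage for the WOW Trojan's URL matching rules.

Added example, not code from the CERT-In alert. The two URL strings and the
parameter names come from the alert; the request records below are constructed
and the function names are this example's own.
"""
import urllib.parse

# Substring the Trojan looks for in the requested URL -> parameters it captures.
CAPTURE_RULES = {
    "/vk/unblock_deal.php": ("account", "pin"),
    "/dologin.php": ("loginname", "password"),
}

# Captured values that must never be written into a report in clear text.
SECRET_PARAMS = {"pin", "password"}


def captured_parameters(url, body=""):
    """Return {parameter: value} that the Trojan would capture from one request.

    Mirrors the alert's rule: a plain substring match on the URL selects the
    parameter set; values are then read from the query string and, for POST
    requests, from the form-encoded body. Returns {} when no rule matches.
    """
    for needle, params in CAPTURE_RULES.items():
        if needle not in url:
            continue
        fields = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query,
                                       keep_blank_values=True)
        fields.update(urllib.parse.parse_qs(body, keep_blank_values=True))
        return {p: fields[p][0] for p in params if p in fields}
    return {}


def exposure_report(requests):
    """Build a list of accounts whose credentials an infected host exposed.

    `requests` is an iterable of (url, body) pairs reconstructed from the
    host's traffic. Secrets are redacted so the report can be handed to the
    account owners; only the identifiers needed for a reset are kept.
    """
    report = []
    for url, body in requests:
        caught = captured_parameters(url, body)
        if not caught:
            continue
        entry = {"url": url.split("?", 1)[0]}
        for name, value in caught.items():
            entry[name] = "<redacted>" if name in SECRET_PARAMS else value
        report.append(entry)
    return report


# Constructed sample traffic from a hypothetical infected host (not real data).
SAMPLE_REQUESTS = [
    ("http://login.example.test/dologin.php", "loginname=alice&password=hunter2"),
    ("http://game.example.test/vk/unblock_deal.php?account=12345&pin=9876", ""),
    ("http://news.example.test/story.php?id=7", ""),
]

if __name__ == "__main__":
    for entry in exposure_report(SAMPLE_REQUESTS):
        print(entry)
```

Run against real data, the request records would come from a proxy log or packet capture of the infected host; the third sample record shows that ordinary browsing produces no entry, so the report lists only the accounts that actually need a password or PIN reset.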

Aliases:

Trojan-PSW.Win32.WOW.el (Kaspersky Lab) is also known as: Trojan.PWS.Wow (Doctor Web), TSPY_WOW.GY (Trend Micro), TR/PSW.WOW.el.31.C (H+BEDV), Win32:Wow-W (ALWIL), PSW.Generic2.ADQJ (Grisoft), Trojan.Agent.TA (SOFTWIN), Win32/PSW.WOW.NAI (Eset)

Upon execution, the Trojan:
  • Creates a DLL file in the C:\ root directory:
    • c:\nxldr.dat

  • Copies its executable file to the Windows system directory:
    • %System32%\KB896425.log

  • Creates a NetWorkLogon service entry so that it is run automatically each time Windows is restarted:
    • [HKLM\System\CurrentControlSet\Services\NetWorkLogon]

In view of the rapid propagation of the WOW Trojan, users are advised to implement the following countermeasures:

  • Search for the malicious files and processes created or started by the Trojan and delete them.
  • Search for the registry entries mentioned above made by the Trojan and delete them.
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date Antivirus and Antispyware signatures.
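The first two countermeasures amount to checking a host for the files and the service key listed under "Upon execution". The Python script below is an added example, not a tool from this alert or from any vendor named in it: it checks for the three indicators quoted above (the `%System32%` path is resolved from the `SystemRoot` environment variable, an assumption of this example) and reports what it finds. The `check_indicators` function takes the file and registry probes as parameters so the matching logic can be exercised on a non-Windows machine; on Windows the defaults consult the real filesystem and `HKLM`.

```python
"""Host indicator check for the WOW Trojan's dropped files and persistence key.

Added example, not from the CERT-In alert. The three indicators are the ones
the alert lists; the function names and the injectable probes are this
example's own so the logic can be exercised on a non-Windows machine.
"""
import ntpath
import os
import platform

# Files the alert says the Trojan writes. %System32% is resolved from the
# SystemRoot variable (assumption of this example), with the usual default.
SYSTEM32 = ntpath.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
FILE_INDICATORS = (
    r"C:\nxldr.dat",
    ntpath.join(SYSTEM32, "KB896425.log"),
)

# Service key the alert names as the persistence mechanism (under HKLM).
SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\NetWorkLogon"


def _file_exists(path):
    return os.path.isfile(path)


def _hklm_key_exists(subkey):
    """True if HKLM\\<subkey> exists. Only meaningful on Windows."""
    if platform.system() != "Windows":
        return False
    import winreg  # available only on Windows builds of Python
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey):
            return True
    except OSError:
        return False


def check_indicators(file_exists=_file_exists, key_exists=_hklm_key_exists):
    """Return a list of (kind, indicator) pairs present on this host.

    The probes are parameters so the matching logic can be tested with fakes;
    the defaults look at the real filesystem and registry.
    """
    findings = []
    for path in FILE_INDICATORS:
        if file_exists(path):
            findings.append(("file", path))
    if key_exists(SERVICE_KEY):
        findings.append(("registry", "HKLM\\" + SERVICE_KEY))
    return findings


if __name__ == "__main__":
    hits = check_indicators()
    if hits:
        for kind, indicator in hits:
            print(f"FOUND {kind}: {indicator}")
    else:
        print("No WOW Trojan indicators found on this host.")
```

A hit on the service key alone is still worth treating as an infection, since the executable may already have been cleaned by an antivirus product while the persistence entry was left behind; remove the key only after the files it points to are gone, and confirm with an up-to-date scanner as the alert recommends.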

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojwowhh.html

http://www.viruslist.com/en/viruses/encyclopedia?virusid=130036#doc3

http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-PSW.Win32.WOW.ec&threatid=50256

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003